It is also easy to prove that omitting addition or rotation is devastating, and such systems (XR and AX) can always be broken.

But I am not able to find any information on how to actually do it. Can anyone give a hint?

(Update:)

@CodesInChaos pointed out: "You can describe each output bit as the xor of a fixed set of input/key bits. This results in a few hundred linear equations modulo 2, which can be solved efficiently." For a simple XR cipher, I understand how this works. But I have issues with more complex ones. This is illustrated as follows:

So far so good. But what if the rotation bits in step E2 above are not a constant 2 but change with the input plaintext? For example, let's modify the above cipher a little bit to this (cipher 2):

You can describe each output bit as the xor of a fixed set of input/key bits. This results in a few hundred linear equations modulo 2, which can be solved efficiently.
–
CodesInChaos Jan 18 '13 at 22:08

Thanks a lot for the answer and the edit. I will look into it.
–
Penghe Geng Jan 19 '13 at 1:02

1 Answer

XOR operations, fixed bit movements (such as taking the 2 topmost bits or
concatenating bits) and data-dependent rotations form a
functionally complete set of operations. This means that you can realize
any function between fixed-length binary strings, including all possible
block ciphers, using them.

To show that these operations form a functionally complete set, one can show that
all operations of another functionally complete set can be realized, for example
the set {NOT, AND}:

Realizing a NOT operation is easy, since this is only an XOR operation with
the constant 1.

Realizing an AND operation requires the data-dependent rotations. Given the
inputs $a$ and $b$, construct the value $v = RotLeft_{a}(0b)$. The leftmost
bit of $v$ is now the result of the AND operation of $a$ and $b$. This can
be verified by looking at the possible input values: if $a$ is zero, the
rotation does nothing and the leftmost bit stays zero. If $a$ is one, the
rotation moves the value of $b$ to the leftmost bit, and the result is
one exactly if $b$ is also one.

This would turn any algorithm that could efficiently break any cipher based on
these operations into an algorithm that efficiently breaks any arbitrary
cipher, which is unlikely to exist and certainly not known.

Nevertheless, I would not assume that most or even many of the ciphers
constructed from these primitives are secure. For example, if there are only
a few data-dependent rotations and it is feasible to enumerate all possible
rotation-count combinations, the system can be broken by just solving
the resulting linear system for each combination.
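The attack CodesInChaos sketches in the comments (write every ciphertext bit as an XOR of a fixed set of key bits and solve the resulting system modulo 2) and the answer's closing remark (with only a few data-dependent rotations, enumerate the rotation counts and solve one linear system per guess), as a single added example. This is not code from the question, the comments or the answer: the 16-bit width, the two round keys k0 and k1, the fixed rotation amounts 3 and 7, and the way "cipher 2" reads its rotation count from the low two bits of the state are all assumptions made here, since the question's own cipher diagrams are not on the page.

```python
# Added example, not code from the question or the answer: break a toy XR cipher
# by linear algebra over GF(2), then break a variant with one data-dependent
# rotation by guessing the rotation count per pair.  Width, key layout and both
# cipher designs are assumptions made here for illustration.
import itertools
import operator
import random

W = 16                  # block and key width (assumption)
NV = 2 * W              # unknowns: bits of k0 (0..W-1), then bits of k1
CONST = NV              # one extra "variable" carrying the constant 1

def rotl(x, r):         # left rotation of a W-bit word
    r %= W
    return ((x << r) | (x >> (W - r))) & ((1 << W) - 1)

# A symbolic word is a list of W bitmasks over the unknowns plus CONST: XOR is
# XOR of masks and a rotation merely moves list entries around.
def sym_const(x):
    return [((x >> i) & 1) << CONST for i in range(W)]
def sym_var(base):
    return [1 << (base + i) for i in range(W)]
def sym_xor(a, b):
    return [u ^ v for u, v in zip(a, b)]
def sym_rotl(a, r):
    r %= W
    return a[-r:] + a[:-r] if r else list(a)

def equations(sym_bits, value):
    """Rows 'XOR of the masked variables == CONST bit' stating sym_bits == value."""
    return [s ^ (((value >> i) & 1) << CONST) for i, s in enumerate(sym_bits)]

def solve_gf2(rows):
    """Gaussian elimination mod 2: one solution (free variables 0) or None."""
    vmask = (1 << NV) - 1
    pivots = {}                                 # lowest variable -> row
    for r in rows:
        while r & vmask:                        # reduce by the pivots seen so far
            t = r & vmask
            v = (t & -t).bit_length() - 1
            if v not in pivots:
                pivots[v] = r
                break
            r ^= pivots[v]                      # clears v, touches only higher bits
        else:
            if r >> CONST:                      # reduced to 0 == 1
                return None
    sol = [0] * NV
    for v in sorted(pivots, reverse=True):      # pivot rows hold only variables >= v
        row = pivots[v]
        sol[v] = ((row >> CONST) + sum(sol[u] for u in range(v + 1, NV) if row >> u & 1)) & 1
    return sol

def key_from_bits(sol):
    return tuple(sum(sol[base + i] << i for i in range(W)) for base in (0, W))

# Both ciphers are written once over abstract (xor, rotl): the same description
# runs on integers and on symbolic words.
def xr_cipher(p, k0, k1, xor=operator.xor, rotl=rotl):
    """Cipher 1: XOR and fixed rotations only; every output bit is affine in p and k."""
    x = rotl(xor(p, k0), 3)
    x = rotl(xor(x, k1), 7)
    return xor(x, k0)

def ddr_cipher(p, k0, k1, amount=lambda x: x & 3, xor=operator.xor, rotl=rotl):
    """Cipher 2: the first rotation count is read from the data."""
    x = xor(p, k0)
    x = rotl(x, amount(x))
    return rotl(xor(x, k1), 7)

SYM = dict(xor=sym_xor, rotl=sym_rotl)
K_SYM = (sym_var(0), sym_var(W))

def break_xr(pairs):
    """Linearise cipher 1 in the 2W key bits and solve; the key enters only through
    one W-bit combination, so the result is an equivalent key, not necessarily k."""
    sol = solve_gf2([e for p, c in pairs for e in equations(xr_cipher(sym_const(p), *K_SYM, **SYM), c)])
    return None if sol is None else key_from_bits(sol)

def break_ddr(pairs):
    """Guess one rotation count per pair (cipher 2 is affine under a fixed guess), add
    two rows per pair tying the guess to the bits it was read from, solve, verify."""
    keys = []
    for guess in itertools.product(range(4), repeat=len(pairs)):
        rows = []
        for (p, c), g in zip(pairs, guess):
            seen = []
            def guessed(x, g=g, seen=seen):     # stand-in for `x & 3` on symbolic words
                seen.append(x)
                return g
            rows += equations(ddr_cipher(sym_const(p), *K_SYM, guessed, **SYM), c)
            rows += [e for x in seen for e in equations(x[:2], g)]
        sol = solve_gf2(rows)
        if sol is not None:
            k = key_from_bits(sol)
            if k not in keys and all(ddr_cipher(p, *k) == c for p, c in pairs):
                keys.append(k)
    return keys

def demo(seed=2013):
    """Constructed run: random key, one known pair for cipher 1, and four chosen
    plaintexts whose low two bits cover 0..3 for cipher 2 (so every count occurs)."""
    rng = random.Random(seed)
    key = (rng.getrandbits(W), rng.getrandbits(W))
    p = rng.getrandbits(W)
    pts = [(rng.getrandbits(W) & ~3) | t for t in range(4)]   # low two bits = t
    return key, break_xr([(p, xr_cipher(p, *key))]), break_ddr([(q, ddr_cipher(q, *key)) for q in pts])
```

Two points worth noticing when running `demo()`. For cipher 1 a single known pair already gives a key that encrypts and decrypts everything correctly, but it is usually not the original (k0, k1): with fixed rotations the two round keys only ever appear in the combination rotl(k0, 10) ^ rotl(k1, 7) ^ k0, so the linear system has 16 free variables and every solution is an equivalent key. For cipher 2 the guess loop costs 4^n solves for n pairs, which is exactly the "enumerate all rotation-count combinations" cost the answer mentions; the two consistency rows per pair are what reject wrong guesses, and the chosen plaintexts make all four rotation counts occur so that the surviving key is unique.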